Bug 177451

Summary: [ieee80211] page fault in ieee80211_tx_mgt_timeout
Product: Base System
Reporter: Davide Italiano <davide>
Component: wireless
Assignee: freebsd-wireless (Nobody) <wireless>
Status: Closed FIXED
Severity: Affects Only Me
CC: avos
Priority: Normal
Keywords: panic
Version: 9.1-RELEASE
Hardware: Any
OS: Any

Description Davide Italiano freebsd_committer 2013-03-28 21:50:00 UTC
Here's a report with all the information:
http://people.freebsd.org/~davide/reports/adrian.txt
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2013-03-28 22:38:47 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-wireless

Over to maintainer(s).
Comment 2 PseudoCylon 2013-03-29 21:21:58 UTC
http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2506
enum ieee80211_state ostate = (enum ieee80211_state) arg;
casting a pointer to an enum

http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2519
if (vap->iv_state == ostate)
So this test is always false -> callout_reset() will never be
called -> by the time the callout timer runs out, ni could be freed.
Comment 3 PseudoCylon 2013-03-29 22:37:20 UTC
Oops. The code casts the enum to the pointer to begin with, so it works.

Sorry for the noise.

On Fri, Mar 29, 2013 at 3:21 PM, PseudoCylon <moonlightakkiy@yahoo.ca> wrote:
> http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2506
> enum ieee80211_state ostate = (enum ieee80211_state) arg;
> casting a pointer to an enum
>
> http://fxr.watson.org/fxr/source/net80211/ieee80211_output.c?v=FREEBSD91#L2519
> if (vap->iv_state == ostate)
> So this test is always false -> callout_reset() will never be
> called -> by the time the callout timer runs out, ni could be freed.
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:49:04 UTC
batch change:

For bugs that match the following
- Status is "In progress"
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 5 Andriy Voskoboinyk freebsd_committer 2019-01-31 10:26:26 UTC
Fixed in base r257065 (node may be freed during callout delay -> virtual interface pointer is passed instead).
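The lifetime hazard behind this panic, reduced to a userland model (added illustration, not FreeBSD's net80211 code): a timer callback that receives a pointer to an object which can be freed before the timer fires dereferences freed memory, whereas passing the longer-lived virtual interface and resolving the node at fire time, as the fix above describes, stays valid. The struct and function names below are simplified stand-ins for the kernel's node, vap and callout types.

```c
#include <stdlib.h>

/* Simplified stand-ins for the kernel's ieee80211_node / ieee80211vap. */
struct node { int id; };
struct vap  { struct node *iv_bss; int iv_state; };

/* Minimal model of a callout: one pending (function, argument) pair. */
typedef void (*callout_fn)(void *);
struct callout { callout_fn fn; void *arg; int armed; };

static void callout_reset(struct callout *c, callout_fn fn, void *arg)
{
	c->fn = fn; c->arg = arg; c->armed = 1;
}

static void callout_fire(struct callout *c)
{
	if (c->armed) { c->armed = 0; c->fn(c->arg); }
}

static int last_seen_id = -1;

/* Hardened pattern from the fix: the argument is the vap, which outlives any
 * single node, and the current node is looked up when the timer fires.
 * The unsafe variant would take 'struct node *ni' as arg and read ni->id here,
 * which is a use-after-free once the node has been released. */
static void mgt_timeout_vap(void *arg)
{
	struct vap *vap = arg;
	struct node *ni = vap->iv_bss;	/* resolved at fire time, not arm time */
	if (ni != NULL)
		last_seen_id = ni->id;
}

/* Arm the callout, then replace and free the node before it fires. */
int run_scenario(void)
{
	struct node *old = malloc(sizeof *old); old->id = 1;
	struct node *cur = malloc(sizeof *cur); cur->id = 2;
	struct vap vap = { .iv_bss = old, .iv_state = 0 };
	struct callout c = { 0 };

	callout_reset(&c, mgt_timeout_vap, &vap);
	vap.iv_bss = cur;	/* association moved on while the timer was pending */
	free(old);		/* the node the old code would have dereferenced */
	callout_fire(&c);	/* safe: follows vap->iv_bss, now 'cur' */
	free(cur);
	return last_seen_id;	/* 2: the live node, never the freed one */
}
```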